The Department of Information Technology, Government of India issued a discussion draft on National Cyber Security Policy (pdf) on 26th March 2011 and invited comments on it. In our opinion this draft of the national policy is a considerable initial step and the government should be commended for being attuned to the threats and challenges facing the management of cyberspace and taking steps to address them. We feel that the document substantially addresses several areas and processes related to cyber security, particularly incident response, vulnerability management and infrastructure security.

However, we have identified some areas of improvement, including scope, ownership, resource allocation and management, technical and non-technical controls, which we present for the government’s consideration. This Takshashila policy advisory document (pdf) provides comments and feedback on the draft.

Feel free to provide your input on the original discussion draft or our response to it, in the comment section below.

Research In Motion (RIM) has been in the news of late for all the wrong reasons (some would argue equally well that they are the correct reasons). Earlier, India’s DoT was considering blocking their service unless they provided a means to listen in on the encrypted data of RIM’s BlackBerry customers. Now comes the news that the United Arab Emirates’ telecom regulators have threatened to ban RIM services in the UAE and in the last few days have followed up this threat by imposing a ban on their email, web access and instant messenger services from October 11.

The U.A.E. worries that because of jurisdictional issues, its courts couldn’t compel RIM to turn over secure data from its servers, which are outside the U.A.E., even in a national-security situation, a person familiar with the situation said.

This is a stronger requirement than what is asked for (at least publicly) by India’s DoT and in a way makes more strategic sense than asking for the capability to listen in on some of the network traffic. Ensuring that the NOCs that serve Indian customers are physically located in India places them under Indian jurisdiction, allowing the government to make additional demands through legal channels including, say, asking for privacy guarantees (along the lines of the European Union Data Protection Directive) or even more snooping capabilities.

“BlackBerry has assured the Ministry of Home Affairs that the issue of monitoring of the BlackBerry will be sorted out soon…I am sure we will soon be on the same page and our concerns will be addressed,” Special Secretary (Internal Security) in the MHA Utthan Kumar Bansal told reporters on the sidelines of a function here.

In the last few days several media reports have been carrying articles to the effect that, according to an alleged “internal Government note”, the Department of Telecom (DoT) of India will ask Research In Motion and Skype to make their content “readable”.

“DoT will call the representatives of Research In Motion (manufacturer of Blackberry devices) and Skype and ask them to ensure that the content going through the telecom service providers is in readable format. They have to ensure that this is implemented within 15 days failing which services that do not allow lawful interception on a real-time basis would be blocked/banned,” said an internal Government note. (source)

While all the noise that ensued has been based on a leaked note that may or may not exist (none of the reports really say who has seen this mysterious note), this author has reasons beyond the article to believe that such steps are indeed being discussed and acted on.

For those who ask whether there is international precedent for government laws and actions along the same lines, look no further than the US. The Communications Assistance for Law Enforcement Act (CALEA) forces telecom providers operating in the US to provide similar support to the government. This applies to VoIP-based providers too. According to the FCC website:

All facilities-based broadband Internet access providers and providers of interconnected VoIP service have until May 14, 2007 to come into compliance with CALEA. In the May 12, 2006 Commission order, the Commission found that section 107(c)(1) may not be used by entities seeking extensions for equipment, facilities, and services deployed on or after October 25, 1998 (the effective date of the CALEA section 103 and 105 requirements).

The question of whether the DoT has any legal standing in this matter is to an extent answered by the IT (Amendment) Act 2008. Amended Section 69 now reads:

(1) Where the Central Government or a State Government or any of its officers specially authorised by the Central Government or the State Government, as the case may be, in this behalf may, if satisfied that it is necessary or expedient so to do, in the interest of the sovereignty or integrity of India, defence of India, security of the State, friendly relations with foreign State or public order or for preventing incitement to the commission of any cognizable offence relating to above or for investigation of any offence, it may subject to the provision of sub-section (2), for reasons to be recorded in writing, by order direct any agency of the appropriate Government to intercept, monitor or decrypt or cause to be intercepted, monitored or decrypted any information generated, transmitted, received or stored in any computer resource.

Sub-section (3) clarifies further:

(3) The subscriber or intermediary or any person in-charge of the computer resource shall, when called upon by any agency referred to in sub-section (1), extend all facilities and technical assistance to–

(a) provide access to or secure access to the computer resource generating, transmitting, receiving or storing such information; or

(b) intercept, monitor, or decrypt the information, as the case may be; or

(c) provide information stored in computer resource.

The term “computer resource” is defined as follows:

(i) “computer” means any electronic, magnetic, optical or other high-speed data processing device or system which performs logical, arithmetic, and memory functions by manipulations of electronic, magnetic or optical impulses, and includes all input, output, processing, storage, computer software, or communication facilities which are connected or related to the computer in a computer system or computer network;

(j) “computer network” means the interconnection of one or more computers through— (i) the use of satellite, microwave, terrestrial line or other communication media; and (ii) terminals or a complex consisting of two or more interconnected computers whether or not the interconnection is continuously maintained;

(l) “computer system” means a device or collection of devices, including input and output support devices and excluding calculators which are not programmable and capable of being used in conjunction with external files, which contain computer programmes, electronic instructions, input data and output data, that performs logic, arithmetic, data storage and retrieval, communication control and other functions;

In addition, s.118 of the IPC has been amended to recognize the use of encryption as a possible means of concealment of a ‘design to commit [an] offence punishable with death or imprisonment for life’.

It is not clear, however, whether applications like Skype can be held accountable when they operate in a pure P2P manner and do not use the PSTN (which forces a central server into the picture). But the government could argue that the end peer should log all the encryption keys used in a session at the peer, thus allowing the agencies to retrieve them.

The other point that needs clarification is whether one can enforce one part of the Act without having mechanisms in place to enforce another. Sub-section (2) of section 69 states:

(2) The procedure and safeguards subject to which such interception or monitoring or decryption may be carried out, shall be such as may be prescribed.

I am no lawyer, but as a layman (a) I have no idea what that means and (b) I don’t know whether such procedures and safeguards have indeed been “prescribed”.

Update (08/07/2010): I have been told by someone who knows a lot more about legal things than me that indeed, the safeguards are a prerequisite for the actions considered under the section. The question of whether such procedures and safeguards are in place is still an open one.